Slashdot Mirror

← Back to Stories (view on slashdot.org)

Storm Hits Blogger Network

Posted by CowboyNeal on from the ridin'-the-storm-out dept.

ancientribe writes "Researchers have discovered the Storm Trojan nestled in hundreds of blog sites in Google's Blogger network, according to an article in Dark Reading. And this isn't simple comment spam, but actual blogs that post spam, and now, Storm executable files. A researcher who's been tracking the Storm-infested blog sites says he's working with Google to clean up this latest appearance of Storm."

9 of 89 comments (clear)

  1. Passing Fad by Anonymous Coward · · Score: 5, Insightful

    Two articles about 'blogging' in a row. I really hope this isn't what my generation will be known for.

    1. Re:Passing Fad by Opportunist · · Score: 5, Funny

      Relax. You can't be worse off than the Disco generation.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Skynet by courtarro · · Score: 4, Funny

    Did anyone else see Terminator 3? They predicted this "Storm" virus. It was only a matter of time before it became self-aware and began making emo blog posts without human intervention.

  3. Sad... by SanityInAnarchy · · Score: 5, Informative

    The sad part is, from what I've seen and heard, this Storm "virus" does need human intervention.

    It doesn't do anything technically new. The only thing new here is the particular brand of social engineering used, and it bothers me that this still works.

    --
    Don't thank God, thank a doctor!
    1. Re:Sad... by DaSilva_XiaoPuTao · · Score: 4, Informative

      While the email's did contain a link that you needed to follow, I believe the site tried to exploit browser vulnerabilities to try infect your computer. In fact I think it generates different pages based on your user agent string to try and exploit the different browsers.

      With regards to the link, they were also masked well to show up as a youtube url.

      All in all I think this means that you don't have to be a total idiot to get infected, maybe just a little naive.

    2. Re:Sad... by SanityInAnarchy · · Score: 4, Informative

      With regards to the link, they were also masked well to show up as a youtube url.

      If by "masked well", you mean:

      <a href="http://136.159.166.125/">http://www.youtube. com/watch?v=BmcXqxdPoP6</a>

      Yeah, I'd say that's more than "just a little naive" -- it's downright stupid. I don't know how Outlook does it, but Kontact/Kmail does two things: First, it defaults to displaying everything as text if it can, with a big red box at the top that says:

      Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here.

      (Link goes nowhere, as this is Slashdot, not actually Kmail.)

      After clicking that link, the HTML is shown, but without images. A similar box will be there if there are external images, allowing you to turn them on. But even with everything enabled, it's still easy as hell -- mouseover the youtube link, and the nappy IP address link shows up in the status bar.

      Ok, fine, let's assume that someone can be "just a little naive" at that point -- which I think is a stretch, in this day and age; someone who doesn't know that much should take a course before touching a computer.

      In that case, the last time I tried to do that, it opened up Konqueror, which popped up a window asking me what I wanted to do with this file. HINT, HINT, HUGE FUCKING HINT -- the file ends in .exe, which again, every computer user should know, means "executable". But even if they don't, every computer user should at least know not to download/open random files from the Internet, unless it's a format they recognize.

      How long did it take us to convince computer users to not open attachments? And now this takes the world by storm...

      In IE, if I remember, this is going to give you one prompt to download it or "open" it, and after you click "open", it will download, and then give you at least one, if not two more prompts about the program being unsigned. If you're running Vista, it will give you yet another prompt, telling you that this program needs your permission to continue fucking with your computer.

      That's -- let me count -- about five separate clues that you don't even have to go out of your way to run into -- realistically, probably three or four. Not to mention the fact that my spamfilter caught most of these before I even started seeing them and training on them, and that example I just pasted to you contains the email address "jerk2werk@nehp.net" -- yet another obvious clue; I don't know anyone with an email address like that.

      And there are yet more clues if you start digging -- turning on "all headers", you can see two "Received:" headers and one "Sender:" header, neither of which matches, in any way, the "From:" header.

      I'm not saying that everyone should know how to dig through email headers, until they have to -- but those are just the technical "duh" factors. There's also the nontechnical one -- I didn't make a video, and I didn't upload it to Youtube. I might click that link out of curiosity, but clicking a normal Youtube link doesn't ask me if I want to download or open anything.

      So what's sad to me is not only that this kind of shit still happens, but that you, like many others, consider it to be "not stupid, just a little naive." We require Driver's Education in my state to operate a car, which is significantly easier than a computer -- if you don't know how to use a computer, it absolutely IS your fault. Go educate yourself.

      As for the browser vulnerability, nope, sorry, read TFA. It's the exact same thing as the email "virus" -- it just has Youtube links to an exe file. Another one is even more obvious -- the link includes the nappy IP address right there, links to a file calle

      --
      Don't thank God, thank a doctor!
  4. lol by thatskinnyguy · · Score: 4, Funny

    You say "asshats making worms". I say "people creating job security for us IT guys". Sad that its come to this.

    --
    The game.
  5. Google does not terminate spammers. by Anonymous Coward · · Score: 4, Interesting

    72.14.207.191 (blogger.com) is listed in the Spamhaus SBL for their inability or unwillingness to terminate spamvertised blogspot sites. This has been an issue for months.

    "Thousands upon thousands of *.blogspot.com pages, all spammed and used to re-direct to other spammer landing pages"

  6. Re:They have no idea? by Anonymous Coward · · Score: 5, Interesting

    The guy saying "I have no idea" isn't an employee of Google/Blogger, he's just the guy on the outside saying he doesn't know how.

    I'm on the outside also, but can tell you how. Blogger has a mail2 feature where you can post to an email address that you make up, and keep secret. Like a password. With users who makeup easy mail2 addresses (then don't monitor or abandon their blogs), and millions of emails being sent by the Storm BotNet, not hard to figure out how they are getting posted. Eventually the botnet hits them, just like they do with regular email addresses, and they get posted to the blog.

    And also note, the summary is misleading somewhat. The actual files that do the "infection" aren't hosted on Blogger at all. The same thing that is getting sent to peoples emails are being posted to blogs that leave their mail2 address open and easy. So you still have to fall for the click here to get infected...

    This has been going on for awhile. I first saw it at least 2 months ago. It may be increasing, but not new.